A plain English IT governance framework boards can actually use
IT governance sounds like something for large corporations. It is not. Here is what it actually means, why most SMEs are doing it wrong without realising, and what to do about it.
When I mention IT governance to a business owner, I usually get one of two reactions. Either their eyes glaze over, or they say something like "that's for bigger companies than us."
Both reactions are understandable. And both are wrong.
IT governance is not a certification programme or a box-ticking exercise. At its simplest, it is just a question: does anyone in your business actually understand what technology you have, whether it is doing its job, whether it is secure, and whether you are getting value for what you spend on it?
In most SMEs I work with, the honest answer is no. They have IT support, which handles the day-to-day, but nobody with the independence to step back and look at the whole picture.
Why this matters more than compliance
Most conversations about IT governance focus on GDPR or Cyber Essentials or ISO 27001. Those things matter, but they are not the main reason to think about this.
The main reason is money and risk. Without any governance in place, IT costs tend to grow quietly every year. Licences accumulate. Old software renews automatically. Contracts that were right three years ago are still running even though the business has changed. Nobody challenges them because nobody has the full picture and nobody is paid to challenge them.
At the same time, risks build up silently. Systems that have not been updated. Backup processes that were set up once and never tested. Security products that cover risks you no longer have, and miss ones you now do.
None of this triggers a crisis immediately. It accumulates. And then something forces a reckoning.
Three approaches, and which one actually fits your business
There are three ways to approach IT governance, and they are worth understanding because they require very different levels of commitment.
Guidelines are informal best practices: helpful suggestions from industry bodies or regulators. They are flexible, which makes them easy to start with. They are also often vague, which means they can be interpreted loosely and end up meaning very little in practice.
Frameworks are more structured. The NIST Cybersecurity Framework is a widely used one; it organises security thinking into five areas: identify, protect, detect, respond, recover. Frameworks give you a clear structure to work within and are adaptable to your actual business. For most SMEs, a sensible framework applied pragmatically is the right answer. Not perfect, not certified, but real and useful.
Standards, like ISO 27001, are formal and auditable. Getting certified costs time and money. It is worth it if you work with large organisations or operate in regulated sectors where clients ask for it. It is probably not the right starting point if you have no governance in place at all.
Most of the businesses I work with start with getting a clear picture of where they are, then applying a light framework to the highest-risk areas, and building from there. That is not a certification programme. It is just sensible oversight.
The three mistakes I see most often
After working with a lot of SMEs on this, the same mistakes come up repeatedly.
The first is trying to do everything at once. A business decides to "do governance properly" and ends up producing a pile of documentation that nobody reads and nothing changes. Start with the areas where the risk is highest and the cost is clearest.
The second is treating it as an IT department issue. When governance sits entirely with the IT team, the rest of the business feels no ownership of it. The right decisions require input from finance, operations, and leadership. IT alone cannot make them.
The third is using generic policies downloaded from the internet. I have reviewed a lot of these. They are usually fine as a template. They are useless as a working policy, because they do not reflect how your business actually operates. A policy that does not match reality gives the impression of control without providing any.
Where to start if you have nothing in place
Before any framework or policy, you need honest answers to five questions:
- What systems does the business actually depend on to function?
- Who has access to what, and is that still the right list?
- Do you have working backups, and have you tested that they actually restore?
- Do you know what you are paying for IT and whether you are getting value from it?
- If your main IT system went down tomorrow, do you know what you would do?
If you cannot answer those confidently, that is your starting point. Not a framework document, not a certification. Just an honest audit of where you actually are.
"IT governance is not about creating paperwork. It is about having someone look at your technology with the business's interests in mind, not the IT supplier's."
If you want a plain English view of where your business stands, I am happy to have that conversation.

Dave Lane
Fractional IT Director
25 years working across IT infrastructure, cyber security, risk, and governance. I work with business owners and MDs as their independent IT director. No vendor commissions. No managed services to sell.
Sound familiar?
If any of this resonates, let's have a conversation. No sales process. Just an honest conversation about what you're dealing with.